I'm a developer of a server-based web application. My client has organised a virtual server to be hosted with one of their ISPs. The server is running Windows Server 2008 R2. It's a completely standalone machine (i.e. no domain, no policies pushed down, etc) and I have total control over it. I should note that while I know a reasonable amount about Windows, I'm not a server admin myself and don't know a great deal about how to manage servers.

However, the ISP doesn't provide any sort of VPN or other security for accessing the machine. They've opened the ports I need publicly open, but the RDP ports are causing me some concern. I need to be able to RDP in from a few machines, and unfortunately some of these have dynamic IPs due to being mobile machines.

Although the application is minimal risk, I still really don't like having RDP open to the world as well - unfortunately, the options they've given me are:

open RDP to the world so I can use Windows Firewall on the server to manage the IPs that are allowed to access the machine

open RDP to specific IPs at their firewall level

I was wondering if there are any other solutions anyone can think of which will let me secure RDP but somehow open it to particular IPs as I need to, and that would work on a standalone machine like this?

Thanks for the suggestion - I took a quick look at OpenVPN, it looks like it would do exactly what I want, but it also seems to need a bit more infrastructure knowledge and experience than I have! However I'll pass this on to a couple of infrastructure friends and see if I can call in a favour - thanks!
– John Jun 22 '11 at 4:23

One thing I've done for some Security through Obscurity is to change the Remote Desktop port number from the default 3389 to something else. That and a very strong username/password combo on the server is about all you're going to be able to do without adding additional software to the mix (something I always try to avoid whenever possible).
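The first of the two options in the question (managing the allowed IPs with Windows Firewall on the server itself) and the port change suggested in this answer can be scripted together so the scope is easy to re-apply when a mobile machine's dynamic IP changes. This is an added example, not code from any of the posters; it targets Windows Server 2008 R2 (PowerShell 2.0 and netsh advfirewall, since the NetSecurity cmdlets only arrived with Server 2012), and the addresses, port and rule name are placeholders.

```powershell
# Added example: restrict the RDP listener on a standalone Windows Server 2008 R2 host.
# Run from an elevated PowerShell prompt. Apply it from an address that is IN the
# allow list, otherwise step 3 will cut off the session you are working from.
$AllowedSources = @('203.0.113.10', '198.51.100.0/24')   # placeholders (RFC 5737 ranges)
$RdpPort  = 3389                                           # e.g. 33890 to move off the default
$RuleName = 'RDP restricted (TCP-In)'                      # assumed name for the scoped rule
$RdpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Listener port. Takes effect after restarting "Remote Desktop Services" (TermService)
#    or a reboot. The built-in "Remote Desktop (TCP-In)" rule is fixed to 3389, so any
#    other port needs the custom rule created in step 3.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $RdpPort -Type DWord

# 2. Require Network Level Authentication over TLS, so unauthenticated clients never
#    reach the logon screen. (Clients need an NLA-capable RDP client, e.g. Windows 7+.)
Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $RdpKey -Name SecurityLayer      -Value 2 -Type DWord

# 3. Disable the built-in world-open rule group and install one rule scoped to the
#    allow list. Delete-then-add keeps this idempotent; re-run it when an IP changes.
$Scope = $AllowedSources -join ','
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no | Out-Null
netsh advfirewall firewall delete rule name="$RuleName" | Out-Null   # "No rules match" is fine
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow protocol=TCP `
    localport=$RdpPort remoteip=$Scope profile=any | Out-Null

# 4. Verify the result: RemoteIP must list only the allowed sources and the built-in
#    rules must show Enabled: No, otherwise RDP is still reachable from anywhere.
netsh advfirewall firewall show rule name="$RuleName" verbose
netsh advfirewall firewall show rule group="Remote Desktop" | Select-String 'Rule Name|Enabled'
```

Because the firewall still sees the real source address, this only helps while the mobile machines' current IPs are in the list; a VPN or SSH tunnel (as the other answers suggest) removes the need to track them.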

You could try running an SSH server on it (I think there are Windows ports of SSH, never used any myself) and you could set up an SSH tunnel, through which you could run Remote Desktop.

Enabling PPTP on the server and requiring one or more of the encrypted authentication mechanisms should be fine, as the RDP session is also encrypted. No new software for the most part, mainly just enabling the PPTP functionality and then running RDP through it (and closing its port to the rest of the Internet).